package org.jboss.as.security.elytron;

import java.security.Principal;
import java.security.acl.Group;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import org.jboss.as.security.logging.SecurityLogger;
import org.jboss.as.security.plugins.SecurityDomainContext;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.mapping.MappingType;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.authz.Attributes;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.evidence.X509PeerCertificateChainEvidence;

/* loaded from: input_file:org/jboss/as/security/elytron/SecurityDomainContextRealm.class */
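/**
 * {@link SecurityRealm} that delegates evidence verification to the authentication manager of a
 * {@link SecurityDomainContext} and derives authorization attributes from the {@link Subject}
 * that manager populates.
 *
 * <p>The realm never hands out credentials: credential acquisition is always reported as
 * {@link SupportLevel#UNSUPPORTED} and {@code getCredential} returns {@code null}. An identity is
 * only reported as existing, and only yields an authorization identity, after a successful
 * {@code verifyEvidence} call on that same identity object.
 */
public class SecurityDomainContextRealm implements SecurityRealm {
    // Assigned once in the constructor; may be null, in which case verification reports the realm
    // as unavailable.
    private final SecurityDomainContext domainContext;
    // When true, members of the "Roles" group are run through the domain's role mapping modules.
    private final boolean applyRoleMappers;

    /**
     * Identity whose authentication state lives entirely in {@link #authenticatedSubject}: the
     * field is {@code null} until evidence has been verified successfully.
     */
    private class PicketBoxBasedIdentity implements RealmIdentity {
        private final Principal principal;
        // Written without synchronization; NOTE(review): presumably each identity is used by a
        // single authentication attempt - confirm against callers.
        private Subject authenticatedSubject;

        private PicketBoxBasedIdentity(Principal principal) {
            this.principal = principal;
        }

        /** Returns the principal this identity was created for. */
        public Principal getRealmIdentityPrincipal() {
            return principal;
        }

        /** Delegates to the enclosing realm, which reports {@link SupportLevel#UNSUPPORTED}. */
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName) throws RealmUnavailableException {
            return SecurityDomainContextRealm.this.getCredentialAcquireSupport(credentialType, algorithmName);
        }

        /** Delegates to the enclosing realm, which reports {@link SupportLevel#UNSUPPORTED}. */
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
            return SecurityDomainContextRealm.this.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec);
        }

        /** Always returns {@code null}: this identity never exposes a stored credential. */
        public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException {
            return null;
        }

        /** Delegates to the enclosing realm's evidence support decision. */
        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) throws RealmUnavailableException {
            return SecurityDomainContextRealm.this.getEvidenceVerifySupport(evidenceType, algorithmName);
        }

        /**
         * Verifies the evidence through the domain's authentication manager and, on success,
         * remembers the subject the manager populated.
         *
         * @param evidence the evidence to verify; password guesses are passed on as a copied
         *     {@code char[]}, certificate chains as their first certificate, and any other
         *     evidence object unchanged
         * @return {@code true} if the authentication manager accepted the evidence
         * @throws RealmUnavailableException if there is no domain context or authentication manager
         */
        public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
            if (domainContext == null || domainContext.getAuthenticationManager() == null) {
                throw new RealmUnavailableException();
            }
            final Subject subject = new Subject();
            Object credential = evidence;
            if (evidence instanceof PasswordGuessEvidence) {
                // The guess is copied so the array handed to the authentication manager is
                // independent of the evidence object.
                // NOTE(review): the copy is never cleared here; whether the manager retains it
                // (for example in a cache) is not visible in this class - confirm before adding
                // a wipe after isValid().
                credential = ((PasswordGuessEvidence) evidence).getGuess().clone();
            } else if (evidence instanceof X509PeerCertificateChainEvidence) {
                credential = ((X509PeerCertificateChainEvidence) evidence).getFirstCertificate();
            }
            final boolean valid = domainContext.getAuthenticationManager().isValid(principal, credential, subject);
            if (valid) {
                // NOTE(review): a failed call does not clear a subject stored by an earlier
                // successful call on the same identity; the realm creates a new identity per
                // getRealmIdentity() call, so confirm identities are not reused across attempts.
                authenticatedSubject = subject;
            }
            return valid;
        }

        /**
         * Reports whether evidence has been verified successfully on this identity; existence of
         * the principal cannot be determined before that.
         */
        public boolean exists() throws RealmUnavailableException {
            return authenticatedSubject != null;
        }

        /**
         * Builds the authorization identity from the authenticated subject: every {@link Group}
         * principal becomes an attribute keyed by the group name whose values come from
         * {@code processGroup}.
         *
         * @return a basic identity carrying the group attributes, or empty attributes when the
         *     subject holds no group
         * @throws RealmUnavailableException if evidence has not been verified successfully yet
         */
        public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException {
            if (authenticatedSubject == null) {
                throw SecurityLogger.ROOT_LOGGER.unableToCreateAuthorizationIdentity();
            }
            // Declared as the Attributes interface so that both a MapAttributes instance and the
            // shared Attributes.EMPTY constant can be assigned to it.
            Attributes attributes = null;
            final Set<Principal> principals = authenticatedSubject.getPrincipals();
            if (principals != null) {
                for (Principal subjectPrincipal : principals) {
                    if (subjectPrincipal instanceof Group) {
                        final Set<String> values = processGroup((Group) subjectPrincipal);
                        if (attributes == null) {
                            attributes = new MapAttributes();
                        }
                        attributes.addAll(subjectPrincipal.getName(), values);
                    }
                }
            }
            if (attributes == null) {
                attributes = Attributes.EMPTY;
            }
            return AuthorizationIdentity.basicIdentity(attributes);
        }

        /**
         * Converts a group into the set of names used as attribute values.
         *
         * <p>For the "Roles" group, when role mappers are enabled and the domain has a role
         * mapping context with modules, the members are mapped first and the resulting role names
         * are returned. In every other case the plain member names are returned.
         *
         * @param group the group taken from the authenticated subject
         * @return the mapped role names, or the member names when no mapping result is available
         */
        private Set<String> processGroup(Group group) {
            final Set<Principal> members = new HashSet<>();
            final Enumeration<? extends Principal> enumeration = group.members();
            while (enumeration.hasMoreElements()) {
                members.add(enumeration.nextElement());
            }

            final Set<String> names = new HashSet<>();
            if (applyRoleMappers && "Roles".equals(group.getName()) && domainContext.getMappingManager() != null) {
                // Kept as a raw type: the mapping context's type argument is not declared
                // anywhere in this file.
                final MappingContext mappingContext = domainContext.getMappingManager().getMappingContext(MappingType.ROLE.name());
                if (mappingContext != null && mappingContext.hasModules()) {
                    final SimpleRoleGroup roleGroup = new SimpleRoleGroup(members);
                    final HashMap<String, Object> contextMap = new HashMap<>();
                    contextMap.put("Roles", roleGroup);
                    if (principal != null) {
                        contextMap.put("Principal", principal);
                    }
                    mappingContext.performMapping(contextMap, roleGroup);
                    for (Role role : roleGroup.getRoles()) {
                        names.add(role.getRoleName());
                    }
                }
            }
            // NOTE(review): this fallback also runs when the mapping modules ran and left the role
            // group empty, which restores the unmapped member names - confirm that a mapping that
            // removes every role is meant to fall back rather than yield no roles.
            if (names.isEmpty()) {
                for (Principal member : members) {
                    names.add(member.getName());
                }
            }
            return names;
        }
    }

    /**
     * Creates the realm.
     *
     * @param securityDomainContext the domain context whose authentication and mapping managers
     *     are used; when {@code null}, evidence verification throws
     *     {@link RealmUnavailableException}
     * @param applyRoleMappers whether members of the "Roles" group are passed through the domain's
     *     role mapping modules
     */
    public SecurityDomainContextRealm(SecurityDomainContext securityDomainContext, boolean applyRoleMappers) {
        this.domainContext = securityDomainContext;
        this.applyRoleMappers = applyRoleMappers;
    }

    /**
     * Returns a new, not yet authenticated identity for the principal; no lookup is performed, so
     * the result says nothing about whether the principal is known to the domain.
     */
    public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
        return new PicketBoxBasedIdentity(principal);
    }

    /** Credentials cannot be obtained from this realm. */
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName) throws RealmUnavailableException {
        return SupportLevel.UNSUPPORTED;
    }

    /** Credentials cannot be obtained from this realm. */
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
        return SupportLevel.UNSUPPORTED;
    }

    /**
     * Reports which evidence types can be verified: password guesses are supported, certificate
     * chains are possibly supported, and everything else is unsupported.
     */
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) throws RealmUnavailableException {
        if (PasswordGuessEvidence.class.isAssignableFrom(evidenceType)) {
            return SupportLevel.SUPPORTED;
        }
        if (X509PeerCertificateChainEvidence.class.isAssignableFrom(evidenceType)) {
            return SupportLevel.POSSIBLY_SUPPORTED;
        }
        return SupportLevel.UNSUPPORTED;
    }
}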
